Tonight I watched my son have a white-hot meltdown. It’s never happened before, but then again, he’s never been stuck in the house with the rest of us for going on 7 weeks now either. So, I have little doubt that a lot of the frustration and fears about what’s happening came out all at the same time. Like those “kitchen sink” risk assessment scenarios I was talking about the other day…
…everything was connected. Not getting to do “anything”…having his sister’s toys that used to be his put back in her room…all of it (and it was a long list).
But, in the end, and after he’d calmed down quite a bit, he was scared to go to sleep—because of the red-eyed monsters he saw outside his window moving the leaves around.
He was sure they were going to get him.
In fairness, it’s not exactly an uncommon theme as far as nightmares go, and, terrible father that I am, it was probably related slightly to the Justice League movie night a couple of weeks back, but that horse’s long bolted now.
What I ended up telling him was that everybody gets scared—even me.
“But I don’t know how to not be scared,” he said.
So, I told him that what matters isn’t that we get scared. What matters is what we do next. Because while we can’t control the forces in us that make us scared, what we do about it falls directly into that “behavior” bucket I talk about quite a bit. And everything in our behavior is up to us to do…or not do.
All it takes is a decision.
Now, while this might not seem like it at first, it’s a pretty visceral reminder of why risk assessments are so important. Because being able to identify what we’re worried about and then to assess the true nature of those fears as best we can gives us the space we need to (hopefully) make the right decision.
Because, until we can stop the hamster-wheel in our heads – even for a second – we’re not going to have a hope of making a good choice.
In this case, I asked him a bunch of questions. And as he answered each one – sometimes more than once – he began to see more clearly that even when he was scared, we were still going to be there. And not only that, we’d been there before, so at least there’s a precedent.
Of course, as we know, just because something’s happened before doesn’t mean it’ll happen again the same way, but that was a bit above the level I wanted to get into with an over-tired, formerly-hysterical 5-year-old.
In our world, sometimes the people we’re trying to protect don’t know enough about all the moving parts to actually be scared about the same things we are. But most of the time, with the way we end up explaining it, those things end up falling into the “things we don’t know” bucket, and, as a result, they’re understandably a bit nervous about what those things really mean.
But the way humans work – and even the way language works – is that in order to explain an unknown to someone, the first thing we have to do is frame it in something they already understand. No, a buffer overflow might not mean that much to the owner of a critical business process…
…but I can guarantee they understand the impact of even a slight interruption or delay to that process from their perspective.
We just need to be able to make sure we’re making apples-to-apples impact comparisons instead of apples-to-elephants. Because if we do the latter, and especially if we do it too many times, then we’re going to throw the credibility we’ve built to that point right out the window.
We can’t do that unless we understand what goes bump in the night – or has glowing red eyes, rustling in the leaves – in the worlds of our customers. That’s yet another reason why Principle 2 of the Agile Security System™ exists. And some of the key practices tell us that we need to keep asking questions and validating our assumptions…
…until everyone has a clear and consistent view of the same world.
Because as soon as that happens, you can separate the real problems from the phantom ones, and then you can figure out what to do about them. The right decisions are made. The options have been explored.
And our customers have the confidence to move past their fears and focus on moving towards their objectives…
…even if that objective is being able to sleep in their own bed, all night…all alone.
While this might seem like it’s a relatively straightforward thing to do, what I’ve found when working with our customers all over the world is that it’s one of the weakest areas in a security program. And yet, reliable and relevant risk assessments are one of the critical success factors for the ones that are truly effective.
That’s why the upcoming May issue of Archistry’s print newsletter, Security Sanity™, is going to focus on the 4 key types, and the primary variants within those types, that allow you to match the right assessment to the right problem—while leveraging as much of the work you’ve already done as possible in the process. So, if you want to make sure you’re on the list to get it, you’re going to want to make sure you’re subscribed by the fast-approaching deadline of Thursday, April 30th at 11:59pm US/Eastern.
If you’re not already a subscriber, you can fix this small problem using this link:
And if you are, you don’t have to do anything. It’ll be sent out to you automatically for you to read and immediately apply to your day-to-day security work. After all, that’s why I write them in the first place.
Andrew S. Townley
Archistry Chief Executive